Common Phishing Attack Vectors Revisited

Phishing is the most popular and potent attack vector and is categorized as a social engineering attack often used to steal user data, including login credentials and credit card numbers. The goal of phishing via social engineering is to trick the victim into believing that the message they receive from the phishing perpetrator contains something they want or need — a request from their bank, for instance, or a note from someone within their company — and to click a link or download an attachment. The attacker's primary goal is to compromise systems to obtain usernames, passwords and other account and/or financial data.

In fact, with the right phishing network in place, some information gathering and the proper bait, attackers can gain access to just about any company or organization — even government agencies — and inflict devastating damage. The way phishing scams operate is pretty straightforward. Once a victim has fallen for the ploy and unsuspectingly entered their personal information on a forged site or in response to an email, the attacker then uses that information for personal gain.

Phishing is not only highly common, but it’s arguably the most damaging and high-profile cybersecurity threat facing organizations today.

There are three common phishing vectors that you need to keep an eye out for:

1. Email Phishing:

From business executives to internet surfers at home, anyone who opens an unknown email and trusts its content is vulnerable to this classic manipulation tactic. Researchers at Symantec suggestthat almost one in every 2,000 of these emails is a phishing email, meaning around 135 million phishing attacks are attempted every day. Most people simply don't have the time to carefully analyze every message that lands in their inbox and that's exactly what phishers are hoping to exploit in various ways.

How do you discern a real email versus a phishing scam?The best way to fight back is by staying educated on the signs, and by being vigilant. Make sure you check the URL for legitimacy. Hover over the link to see if it might be fake, and if it seems even remotely questionable, don’t click on it.

2. Cloud Storage Phishing:

Cloud service providers such as Amazon, Google, and Dropbox have recently become the target of phishing scammers. Generally, the scammers send victims attachments requesting that the user log into their cloud provider through a dummy portal, capturing private login information in the process. Many of the phishing campaigns targeting cloud storage providers contain lures (information to make phishing content appear more legitimate) saying that a document or picture has been shared with the victim and encourage them to sign into their account in order to view it. Being that many of us trust the cloud implicitly with our personal data, remain alert when an unknown attachment comes through.

3. Mobile Phishing:

More and more phishing scammers are shifting their focus towards attacking users through their smartphones, since mobile applications have become ideal vectors for attack. Mobile phishing is an emerging threat in today’s connected world. In a mobile phishing attack, an attacker usually sends an SMS message containing links to phishing web pages or applications which, if visited, ask for credentials.

Stay informed about phishing techniques. New phishing scams are being developed all the time. If you aren't staying on top of these new phishing techniques, you could inadvertently become a victim. Keep your eyes peeled for news about the latest phishing scams. By finding out about them as early as possible, you will be at a much lower risk of getting snared.

Do not click on links, download files or open attachments in emails from unknown senders. It is best to open attachments only when you are expecting them and know exactly what they contain, even if you know the sender.

Never email personal or financial information, even if you are close with the recipient. You never know who may gain access to your email account, or to the person’s account to whom you are emailing.

Never enter personal information in a pop-up screen. It's never a good idea.

Keep your browser updated. Security patches are routinely released for popular browsers. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, put a stop to that habit. The minute an update is available, download and install it.

Install an anti-phishing toolbar. Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you to it. This is just one more layer of protection against phishing scams, and it is completely free.

Nobody wants to fall prey to a phishing scam. There’s a good reason that such scams will continue, though: they're successful enough for cybercriminals to make massive profits. Fortunately, there are ways to avoid becoming a victim.